Global Arguments

$ bloodyAD -h

usage: bloodyAD [-h] [-d DOMAIN] [-u USERNAME] [-p PASSWORD]
                [-k [KERBEROS ...]] [-f {b64,hex,aes,rc4,default}]
                [-c [CERTIFICATE]] [-s] -H HOST [-i DC_IP] [--dns DNS]
                [-t TIMEOUT] [--gc] [-v {QUIET,INFO,DEBUG,TRACE}] [--json]
                {add,get,msldap,remove,set} ...

AD Privesc Swiss Army Knife

options:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain <domain>
                        Domain used for NTLM authentication
  -u USERNAME, --username USERNAME
                        Username used for NTLM authentication
  -p PASSWORD, --password PASSWORD
                        password or LMHASH:NTHASH for NTLM authentication,
                        password or AES/RC4 key for kerberos, password for
                        certificate (Do not specify to trigger integrated
                        windows authentication)
  -k [KERBEROS ...], --kerberos [KERBEROS ...]
                        Enable Kerberos authentication. If '-p' is provided it
                        will try to query a TGT with it. You can also provide
                        a list of one or more optional keywords as '-k
                        kdc=192.168.100.1 kdcc=192.168.150.1
                        realmc=foreign.realm.corp
                        <keyfile_type>=/home/silver/Admin.ccache',
                        <keyfile_type> being ccache, kirbi or keytab, 'kdc'
                        being the kerberos server for the keyfile provided and
                        'realmc' and 'kdcc' for cross realm (the realm of the
                        '--host' provided)
  -f {b64,hex,aes,rc4,default}, --format {b64,hex,aes,rc4,default}
                        Specify format for '--password' or '-k <keyfile>'
  -c [CERTIFICATE], --certificate [CERTIFICATE]
                        Schannel authentication or krb pkinit if -k also
                        provided, e.g: "path/to/key:path/to/cert" (Use Windows
                        Certstore with krb if left empty)
  -s, --secure          Use LDAP/GC over TLS (LDAPS/GCS). Use -ss to remove
                        all encryption/signing (useful for debug).
  -H HOST, --host HOST  Hostname or IP of the DC (ex: my.dc.local or
                        172.16.1.3)
  -i DC_IP, --dc-ip DC_IP
                        IP of the DC (useful if you provided a --host which
                        can't resolve)
  --dns DNS             IP of the DNS to resolve AD names (useful for inter-
                        domain functions)
  -t TIMEOUT, --timeout TIMEOUT
                        Connection timeout in seconds
  --gc                  Connect to Global Catalog (GC)
  -v {QUIET,INFO,DEBUG,TRACE}, --verbose {QUIET,INFO,DEBUG,TRACE}
                        Adjust output verbosity
  --json                Output results in JSON format

Commands:
  {add,get,msldap,remove,set}
    add                 [ADD] function category
    get                 [GET] function category
    msldap              [MSLDAP] function category
    remove              [REMOVE] function category
    set                 [SET] function category

Commands Arguments

add Commands

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> add -h

usage: bloodyAD add [-h]
                    {badSuccessor,computer,dcsync,dnsRecord,genericAll,groupMember,rbcd,shadowCredentials,uac,user}
                    ...

options:
  -h, --help            show this help message and exit

add commands:
  {badSuccessor,computer,dcsync,dnsRecord,genericAll,groupMember,rbcd,shadowCredentials,uac,user}
    badSuccessor        Add a new DMSA (Dedicated Managed Service Account)
                        object
    computer            Add new computer
    dcsync              Add DCSync right on domain to provided trustee
                        (Requires to own or to have WriteDacl on domain
                        object)
    dnsRecord           This function adds a new DNS record into an AD
                        environment.
    genericAll          Give full control to trustee on target and descendants
                        (you must own the object or have WriteDacl)
    groupMember         Add a new member (user, group, computer) to group
    rbcd                Add Resource Based Constraint Delegation for service
                        on target, used to impersonate a user on target with
                        service (Requires "Write" permission on target's msDS-
                        AllowedToActOnBehalfOfOtherIdentity and Windows Server
                        >= 2012)
    shadowCredentials   Add Key Credentials to target (try to find a suitable
                        DC if provided DC is below Win2016), and use those
                        credentials to retrieve a TGT and a NT hash using
                        PKINIT.
    uac                 Add property flags altering user/computer object
                        behavior
    user                Add a new user

add badSuccessor

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> add badSuccessor -h

usage: bloodyAD add badSuccessor [-h] [-t T] [--ou OU] dmsa

positional arguments:
  dmsa        hostname of the DMSA object (no need to add '$')

options:
  -h, --help  show this help message and exit
  -t T        Distinguished Name of the target whose privileges are to be
              assumed (can be called multiple times, e.g. "-t
              CN=Admin,CN=Users,DC=domain,DC=com -t
              CN=John,CN=Users,DC=domain,DC=com") (default:
              ['CN=Administrator,CN=Users,DC=Current,DC=Domain'])
  --ou OU     Organizational Unit for the DMSA object. If not provided,
              chooses the first OU the logged user can add child to. (default:
              None)

add computer

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> add computer -h

usage: bloodyAD add computer [-h] [--ou OU] [--lifetime LIFETIME]
                             hostname newpass

positional arguments:
  hostname             computer name (without trailing $)
  newpass              password for computer

options:
  -h, --help           show this help message and exit
  --ou OU              Organizational Unit for computer (default: DefaultOU)
  --lifetime LIFETIME  lifetime of new computer in seconds, if non-zero
                       creates it as a dynamic object (default: 0)
💡 Tip
Provide the domain FQDN as the global domain argument (`-d bloody.lab`); otherwise you will hit an error such as `problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9026b (dNSHostName)`.

add dcsync

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> add dcsync -h

usage: bloodyAD add dcsync [-h] trustee

positional arguments:
  trustee     sAMAccountName, DN or SID of the trustee

options:
  -h, --help  show this help message and exit

add dnsRecord

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> add dnsRecord -h

usage: bloodyAD add dnsRecord [-h] [--dnstype {A,AAAA,CNAME,MX,PTR,SRV,TXT}]
                              [--zone ZONE] [--ttl TTL]
                              [--preference PREFERENCE] [--port PORT]
                              [--priority PRIORITY] [--weight WEIGHT]
                              [--forest]
                              name data

positional arguments:
  name                  name of the dnsNode object (hostname) which will
                        contain the new record
  data                  DNS record data, for most record types this will be
                        the destination hostname or IP address, for TXT
                        records this can be used for text

options:
  -h, --help            show this help message and exit
  --dnstype {A,AAAA,CNAME,MX,PTR,SRV,TXT}
                        DNS record type (default: A)
  --zone ZONE           DNS zone (default: CurrentDomain)
  --ttl TTL             DNS record TTL, time in seconds the record stays in
                        DNS caches, must be low if you want to propagate
                        record updates quickly (default: 300)
  --preference PREFERENCE
                        DNS MX record preference, must be lower than the
                        concurrent records to be chosen (default: 10)
  --port PORT           listening port of the service in a DNS SRV record
                        (default: None)
  --priority PRIORITY   priority of a DNS SRV record against concurrent, must
                        be lower to be chosen, if identical to others, highest
                        weight will be chosen (default: 10)
  --weight WEIGHT       weight of a DNS SRV record against concurrent, must be
                        higher with the lowest priority to be chosen (default:
                        60)
  --forest              if set, registers dns record in forest instead of
                        domain (default: False)

Simplest usage:

$ bloodyAD --host 10.1.0.4 -u <username> -p <password> -d bloody add dnsRecord test.bloody.local 8.8.8.8

add genericAll

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> add genericAll -h

usage: bloodyAD add genericAll [-h] target trustee

positional arguments:
  target      sAMAccountName, DN or SID of the target
  trustee     sAMAccountName, DN or SID of the trustee which will have full
              control on target

options:
  -h, --help  show this help message and exit

add groupMember

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> add groupMember -h

usage: bloodyAD add groupMember [-h] group member

positional arguments:
  group       sAMAccountName, DN or SID of the group
  member      sAMAccountName, DN or SID of the member

options:
  -h, --help  show this help message and exit
📝 Note
Supports foreign users

add rbcd

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> add rbcd -h

usage: bloodyAD add rbcd [-h] target service

positional arguments:
  target      sAMAccountName, DN or SID of the target
  service     sAMAccountName, DN or SID of the service account

options:
  -h, --help  show this help message and exit

add shadowCredentials

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> add shadowCredentials -h

usage: bloodyAD add shadowCredentials [-h] [--path PATH] target

positional arguments:
  target       sAMAccountName, DN or SID of the target

options:
  -h, --help   show this help message and exit
  --path PATH  filepath for the generated credentials (TGT ccache or pfx if
               PKINIT fails) (default: CurrentPath)
⚠️ Warning
- DC must run at least Windows Server 2016 (msDS-KeyCredentialLink only available since 2016 AD Schema), to verify:
  - query the RootDSE of the DC `get object ''` and verify domainControllerFunctionality is 7 or above
  - or the nTDSDSA of the DC e.g.: `get object CN=NTDS Settings,CN=ALLMIGHTY,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bloody,DC=lab --attr msDS-Behavior-Version`
- Be in a domain where the DC has AD CS enabled or a certificate authority set up in order for the PKINIT to work
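
For the blue team, `add rbcd` and `add shadowCredentials` each come down to a write on one attribute named in the help text above (msDS-AllowedToActOnBehalfOfOtherIdentity and msDS-KeyCredentialLink). The following is an added example, not part of bloodyAD or of the original page, that flags such writes in Security event 5136 ("A directory service object was modified") records. It assumes Directory Service Changes auditing is enabled and that events were exported as one JSON object per line with the 5136 field names as keys; the account names, the allowlist parameter and the sample log are constructed.

```python
import json

# Attributes that the help text above says `add rbcd` and
# `add shadowCredentials` write, keyed in lower case.
WATCHED_ATTRIBUTES = {
    "msds-allowedtoactonbehalfofotheridentity": "RBCD delegation set on target",
    "msds-keycredentiallink": "Key Credential added to target",
}
OP_VALUE_ADDED = "%%14674"  # OperationType of event 5136 when a value is added


def parse_events(lines):
    """Yield one dict per JSON line, skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event


def find_watched_writes(lines, allowed_writers=()):
    """Return 5136 'value added' events on watched attributes.

    allowed_writers is a hypothetical allowlist of SubjectUserName values
    that are expected to write these attributes in your environment.
    """
    allowed = {name.lower() for name in allowed_writers}
    findings = []
    for event in parse_events(lines):
        if str(event.get("EventID")) != "5136":
            continue
        attribute = str(event.get("AttributeLDAPDisplayName", ""))
        reason = WATCHED_ATTRIBUTES.get(attribute.lower())
        if reason is None or event.get("OperationType") != OP_VALUE_ADDED:
            continue
        writer = str(event.get("SubjectUserName", ""))
        if writer.lower() in allowed:
            continue
        findings.append({
            "writer": writer,
            "object": event.get("ObjectDN", ""),
            "attribute": attribute,
            "reason": reason,
        })
    return findings


# Constructed sample export (not real log data).
SAMPLE_LOG = r"""
{"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=SRV01,CN=Computers,DC=bloody,DC=lab", "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "svc-keysync", "ObjectDN": "CN=alice,CN=Users,DC=bloody,DC=lab", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=bob,CN=Users,DC=bloody,DC=lab", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "helpdesk", "ObjectDN": "CN=bob,CN=Users,DC=bloody,DC=lab", "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=bob,CN=Users,DC=bloody,DC=lab", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14675"}
{"EventID": 4624, "TargetUserName": "jdoe"}
this line is not JSON
""".splitlines()


if __name__ == "__main__":
    for hit in find_watched_writes(SAMPLE_LOG, allowed_writers={"svc-keysync"}):
        print(f'{hit["writer"]} -> {hit["object"]}: {hit["reason"]}')
```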

add uac

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> add uac -h

usage: bloodyAD add uac [-h] [-f F] target

positional arguments:
  target      sAMAccountName, DN or SID of the target

options:
  -h, --help  show this help message and exit
  -f F        name of property flag to add, can be called multiple times if
              multiple flags to add (e.g -f DONT_REQ_PREAUTH -f
              DONT_EXPIRE_PASSWORD) (default: None)

add user

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> add user -h

usage: bloodyAD add user [-h] [--ou OU] [--lifetime LIFETIME]
                         sAMAccountName newpass

positional arguments:
  sAMAccountName       sAMAccountName for new user
  newpass              password for new user

options:
  -h, --help           show this help message and exit
  --ou OU              Organizational Unit for new user (default: DefaultOU)
  --lifetime LIFETIME  lifetime of new user in seconds, if non-zero creates it
                       as a dynamic object (default: 0)

get Commands

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> get -h

usage: bloodyAD get [-h]
                    {bloodhound,children,dnsDump,membership,object,search,trusts,writable}
                    ...

options:
  -h, --help            show this help message and exit

get commands:
  {bloodhound,children,dnsDump,membership,object,search,trusts,writable}
    bloodhound          BloodHound CE collector (WARNING: This script is still
                        in development. It only provides the basics - ADCS ESC
                        and other complex nodes aren't supported yet)
    children            List children for a given target object
    dnsDump             Retrieve DNS records of the Active Directory
                        readable/listable by the user
    membership          Retrieve SID and SAM Account Names of all groups a
                        target belongs to
    object              Retrieve LDAP attributes for the target object
                        provided, binary data will be outputted in base64
    search              Search in LDAP database, binary data will be outputted
                        in base64
    trusts              Display trusts in an ascii tree starting from the DC
                        domain as tree root. A->B means A can auth on B and
                        A-<B means B can auth on A, A-<>B means bidirectional
    writable            Retrieve objects writable by client

get bloodhound

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> get bloodhound -h

usage: bloodyAD get bloodhound [-h] [--transitive] [--path PATH]

options:
  -h, --help    show this help message and exit
  --transitive  if set, will try to reach trusts to have more complete results
                (you should start from a dc of your user domain to have more
                complete results) (default: False)
  --path PATH   filepath for the generated zip file (default: CurrentPath)

get children

List children for a given target object:

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> get children -h

usage: bloodyAD get children [-h] [--target TARGET] [--otype OTYPE] [--direct]

options:
  -h, --help       show this help message and exit
  --target TARGET  sAMAccountName, DN or SID of the target (default: DOMAIN)
  --otype OTYPE    special keyword "useronly" or objectClass of objects to
                   fetch e.g. user, computer, group, trustedDomain,
                   organizationalUnit, container, groupPolicyContainer, msDS-
                   GroupManagedServiceAccount, etc (default: *)
  --direct         Fetch only direct children of target (default: False)

get dnsDump

Retrieve DNS records of the Active Directory readable/listable by the user:

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> get dnsDump -h

usage: bloodyAD get dnsDump [-h] [--zone ZONE] [--no-detail] [--transitive]

options:
  -h, --help    show this help message and exit
  --zone ZONE   if set, prints only records in this zone (default: None)
  --no-detail   if set doesn't include system records such as _ldap,
                _kerberos, @, etc (default: False)
  --transitive  if set, try to fetch dns records in AD trusts (you should
                start from a DC of your user domain to have exhaustive
                results) (default: False)

`--zone` can be used, for example, to display only our own domain zone: `--zone bloody.local`

get membership

Retrieve SID and SAM Account Names of all groups a target belongs to:

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> get membership -h

usage: bloodyAD get membership [-h] [--no-recurse] target

positional arguments:
  target        sAMAccountName, DN or SID of the target

options:
  -h, --help    show this help message and exit
  --no-recurse  if set, doesn't retrieve groups where target isn't a direct
                member (default: False)

If `--no-recurse` is set and our target `john` belongs to a group `printer admins` which itself belongs to `Domain Admins`, `Domain Admins` will not be displayed in the result.

get object

Retrieve LDAP attributes for the target object provided, binary data will be outputted in base64:

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> get object -h

usage: bloodyAD get object [-h] [--attr ATTR] [--resolve-sd] [--raw]
                           [--transitive]
                           target

positional arguments:
  target        sAMAccountName, DN or SID of the target (if you give an empty
                string "" prints rootDSE)

options:
  -h, --help    show this help message and exit
  --attr ATTR   attributes to retrieve separated by a comma, retrieves all the
                attributes by default (default: *)
  --resolve-sd  if set, permissions linked to a security descriptor will be
                resolved (see bloodyAD github wiki/Access-Control for more
                information) (default: False)
  --raw         if set, will return attributes as sent by the server without
                any formatting, binary data will be outputted in base64
                (default: False)
  --transitive  if set with "--resolve-sd", will try to resolve foreign SID by
                reaching trusts (default: False)

Examples:
# Get group members
bloodyAD -u <username> -d bloody -p <password> --host <target> get object "Domain Admins" --attr member

# Get userAccountControl flags (e.g. see if user is locked)
bloodyAD -u <username> -d bloody -p <password> --host <target> get object john.doe --attr userAccountControl

# Read GMSA account password
bloodyAD -u <username> -d bloody -p <password> --host <target> get object 'gmsaAccount$' --attr msDS-ManagedPassword

# Read LAPS password
bloodyAD -u <username> -d bloody -p <password> --host <target> get object 'COMPUTER$' --attr ms-Mcs-AdmPwd

get search

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> get search -h

usage: bloodyAD get search [-h] [--base BASE] [--filter FILTER] [--attr ATTR]
                           [--resolve-sd] [--raw] [--transitive] [-c C]

options:
  -h, --help       show this help message and exit
  --base BASE      DN of the parent object (default: DOMAIN)
  --filter FILTER  filter to apply to the LDAP search (see Microsoft LDAP
                   filter syntax) (default: (objectClass=*))
  --attr ATTR      attributes to retrieve separated by a comma (default: *)
  --resolve-sd     if set, permissions linked to a security descriptor will be
                   resolved (see bloodyAD github wiki/Access-Control for more
                   information) (default: False)
  --raw            if set, will return attributes as sent by the server
                   without any formatting, binary data will be outputed in
                   base64 (default: False)
  --transitive     if set with "--resolve-sd", will try to resolve foreign SID
                   by reaching trusts (default: False)
  -c C             if set, will use the controls for extended search
                   operations, e.g. "-c 1.2.840.113556.1.4.2064 -c
                   1.2.840.113556.1.4.2065" to display tombstoned, deleted and
                   recycled objects and their linked attributes (default: [])
📝 Note
You can filter by binary attributes by giving escaped bytes of data, e.g.: `get search --filter '(attributeSecurityGuid=b\BC\05X\C9\BD\28D\A5\E2\85j\0FL\18\5E)' --attr=ldapDisplayName --base CN=Schema,CN=Configuration,DC=BLOODY,DC=LAB`
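
The escaped value in the note above is the 16-byte on-disk form of a GUID, with printable bytes left as characters and the rest written as `\XX`. The following is an added example, not part of bloodyAD or of the original page, that converts between a GUID string and that filter form so you can build or read such filters; the function names are hypothetical, and the only page-specific input is the value quoted in the note.

```python
import string
import uuid


def filter_value_to_bytes(value):
    """Decode an LDAP filter value: '\\XX' is one byte, anything else is literal."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\":
            pair = value[i + 1:i + 3]
            if len(pair) != 2 or any(c not in string.hexdigits for c in pair):
                raise ValueError(f"bad escape at offset {i}: {value[i:i + 3]!r}")
            out.append(int(pair, 16))
            i += 3
        else:
            out += value[i].encode("utf-8")
            i += 1
    return bytes(out)


def filter_value_to_guid(value):
    """Turn an escaped 16-byte filter value into a GUID.

    AD stores GUID attributes with the first three fields little-endian,
    which is what uuid.UUID(bytes_le=...) expects.
    """
    raw = filter_value_to_bytes(value)
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes for a GUID, got {len(raw)}")
    return uuid.UUID(bytes_le=raw)


def guid_to_filter_value(guid):
    """Escape every byte as '\\XX'; always valid, no special characters to worry about."""
    return "".join(f"\\{b:02X}" for b in uuid.UUID(str(guid)).bytes_le)


def build_guid_filter(attribute, guid):
    """Build a complete filter string usable with `get search --filter`."""
    return f"({attribute}={guid_to_filter_value(guid)})"


# Value quoted in the note above (the leading 'b' is the byte 0x62).
PAGE_VALUE = r"b\BC\05X\C9\BD\28D\A5\E2\85j\0FL\18\5E"

if __name__ == "__main__":
    guid = filter_value_to_guid(PAGE_VALUE)
    print(guid)
    print(build_guid_filter("attributeSecurityGuid", guid))
```

The fully escaped output and the mixed form in the note decode to the same 16 bytes, so either can be passed to `--filter`.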

get trusts

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> get trusts -h

usage: bloodyAD get trusts [-h] [--transitive]

options:
  -h, --help    show this help message and exit
  --transitive  Try to fetch transitive trusts (you should start from a dc of
                your user domain to have more complete results) (default:
                False)

get writable

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> get writable -h

usage: bloodyAD get writable [-h]
                             [--otype {ALL,OU,USER,COMPUTER,GROUP,DOMAIN,GPO}]
                             [--right {ALL,WRITE,CHILD}] [--detail]
                             [--exclude-del] [--bh]

options:
  -h, --help            show this help message and exit
  --otype {ALL,OU,USER,COMPUTER,GROUP,DOMAIN,GPO}
                        type of writable object to retrieve (default: ALL)
  --right {ALL,WRITE,CHILD}
                        type of right to search (default: ALL)
  --detail              if set, displays attributes/object types you can
                        write/create for the object (default: False)
  --exclude-del         if set, exclude deleted objects (default: False)
  --bh                  if set, creates a BloodHound-compatible Zip file with
                        the writable objects found (default: False)

msldap Commands

⚠️ Warning
Commands below are experimental

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap -h

usage: bloodyAD msldap [-h]
                       {add_genericwrite,addallowedtoactonbehalfofotheridentity,addcerttemplatenameflagaltname,addcomputer,addenrollmentright,addhostname,addprivaddmember,addprivdcsync,addspn,adduser,addusertogroup,adinfo,aiacas,allschemaentry,asrep,badsuccessor_check,certify,certify2,certtemplates,changeowner,changesamaccountname,changeuserpw,computeraddr,constrained,create_broken_dmsa_user,dadms,delete,delspn,deluser,deluserfromgroup,disableuser,dmsaaddmanagedaccountprecededbylink,dmsas,dmsasetdelegatedmsastate,dn2sam,dn2sid,dnsadd,dnsdelete,dnsdump,dnsgetserial,dnsmodify,dnsquery,dnsqueryall,dnsremove,dnsrestore,dnssoa,dnszones,dump,enableuser,enrollmentservices,genschema,getsd,gmsa,gpos,groupmembers,groupmembership,laps,lapstarget,ldapinfo,machine,modify,ntcas,pre2000,query,rootcas,s4u2proxy,sam2dn,schemaentry,setsd,shadowcred,sid2dn,sidresolv,spns,tree,trusts,unconstrained,unlockuser,user,whoami,whoamiraw}
                       ...

options:
  -h, --help            show this help message and exit

msldap commands:
  {add_genericwrite,addallowedtoactonbehalfofotheridentity,addcerttemplatenameflagaltname,addcomputer,addenrollmentright,addhostname,addprivaddmember,addprivdcsync,addspn,adduser,addusertogroup,adinfo,aiacas,allschemaentry,asrep,badsuccessor_check,certify,certify2,certtemplates,changeowner,changesamaccountname,changeuserpw,computeraddr,constrained,create_broken_dmsa_user,dadms,delete,delspn,deluser,deluserfromgroup,disableuser,dmsaaddmanagedaccountprecededbylink,dmsas,dmsasetdelegatedmsastate,dn2sam,dn2sid,dnsadd,dnsdelete,dnsdump,dnsgetserial,dnsmodify,dnsquery,dnsqueryall,dnsremove,dnsrestore,dnssoa,dnszones,dump,enableuser,enrollmentservices,genschema,getsd,gmsa,gpos,groupmembers,groupmembership,laps,lapstarget,ldapinfo,machine,modify,ntcas,pre2000,query,rootcas,s4u2proxy,sam2dn,schemaentry,setsd,shadowcred,sid2dn,sidresolv,spns,tree,trusts,unconstrained,unlockuser,user,whoami,whoamiraw}
    add_genericwrite    Adds a generic write ACE to a target object
    addallowedtoactonbehalfofotheridentity
                        Adds a SID to the msDS-
                        AllowedToActOnBehalfOfOtherIdentity protperty of
                        target_dn
    addcerttemplatenameflagaltname
                        Modifyies the msPKI-Certificate-Name-Flag value of the
                        specified certificate template and enables
                        ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME bit. If 'flags' is
                        present then it will assign that value.
    addcomputer         Adds a new computer account
    addenrollmentright  Grants enrollment rights to a user (by DN) for the
                        specified certificate template.
    addhostname         Adds additional hostname to computer account
    addprivaddmember    Adds AddMember rights to the user on the group
                        specified by group_dn
    addprivdcsync       Adds DCSync rights to the given user by modifying the
                        forest's Security Descriptor to add GetChanges and
                        GetChangesAll ACE
    addspn              Adds an SPN entry to the users account
    adduser             Creates a new domain user with password
    addusertogroup      Adds user to specified group. Both user and group must
                        be in DN format!
    adinfo              Prints detailed Active Driectory info
    aiacas              Lists AIA CA certificates
    allschemaentry      Feteches all schema object entry objects
    asrep               Fetches ASREP-roastable user accounts
    badsuccessor_check  Checks if Badsuccessor vulnerability is present on the
                        domain
    certify             ADCA security test
    certify2            ADCA security test - new version
    certtemplates       Lists certificate templates
    changeowner         Changes the owner in a Security Descriptor to the
                        new_owner_sid on an LDAP object or on an LDAP object's
                        attribute identified by target_dn and
                        target_attribute. target_attribute can be omitted to
                        change the target_dn's SD's owner
    changesamaccountname
                        Changes the sAMAccountName of a given DN
    changeuserpw        Changes user password, if you are admin then old pw
                        doesnt need to be supplied
    computeraddr        Fetches all computer accounts
    constrained         Lists all constrained delegation objects
    create_broken_dmsa_user
                        This will create a dmsa service user that can be used
                        for neferious reasons, but DO NOT USE THIS FOR
                        ANYTHING ELSE!
    dadms               Lists all members of the domain administrators group
    delete              Remove an object identified by its DN
    delspn              Removes an SPN entry to the users account
    deluser             Deletes the user! This action is irrecoverable
                        (actually domain admins can do that but probably will
                        shout with you)
    deluserfromgroup    Removes user from specified group. Both user and group
                        must be in DN format!
    disableuser         Unlock user by flipping useraccountcontrol bits
    dmsaaddmanagedaccountprecededbylink
                        Adds a managed account preceded by link to a DMSA
    dmsas               Lists all delegated managed service accounts (DMSA)
    dmsasetdelegatedmsastate
                        Sets the delegated MSA state of a DMSA
    dn2sam              Fetches the sAMAccountName of an object based on the
                        DN
    dn2sid              Fetches the objectSid of an object based on the DN
    dnsadd              Adds a DNS record for a given target
    dnsdelete           Deletes a DNS record for a given target (completely
                        removes the record from the AD)
    dnsdump             Execute dnsdump from MSLDAPClientConsole
    dnsgetserial        Gets the serial number of a DNS record for a given
                        zone
    dnsmodify           Modifies a DNS record for a given target
    dnsquery            Queries a DNS record for a given target
    dnsqueryall         Queries all DNS records for a given zone
    dnsremove           Removes a DNS record for a given target (tombstones
                        the record)
    dnsrestore          Restores a DNS record for a given target
    dnssoa              Prints the SOA record of a given zone
    dnszones            Lists all DNS zones
    dump                Fetches ALL user and machine accounts from the domain
                        with a LOT of attributes
    enableuser          Unlock user by flipping useraccountcontrol bits
    enrollmentservices  Lists AIA CA certificates
    genschema           Generates schema data. This will take a long time.
    getsd               Feteches security info for a given DN
    gmsa                Lists all managed service accounts (MSA). If user has
                        permissions it retrieves the password as well
    gpos                Feteches security info for a given DN
    groupmembers        Returns all member users in a group specified by DN
    groupmembership     Feteches names all groupnames the user is a member of
                        for a given DN
    laps                Feteches all laps passwords
    lapstarget          Feteches all laps password for a given machine
    ldapinfo            Prints detailed LDAP connection info (DSA)
    machine             Feteches a machine object based on the sAMAccountName
                        of the machine
    modify              Modify an attribute of object. Only works with string
                        data types!
    ntcas               Lists NT CA certificates
    pre2000             Lists potentially abusable machine accounts created
                        with pre windows-2000 flag
    query               Performs a raw LDAP query against the server.
                        Secondary parameter is the requested attributes
                        SEPARATED WITH COMMA (,)
    rootcas             Lists Root CA certificates
    s4u2proxy           Lists all S4U2Proxy objects
    sam2dn              Fetches the DN of an object based on the
                        sAMAccountName
    schemaentry         Feteches a schema object entry object based on the DN
                        of the object (must start with CN=)
    setsd               Updates the security descriptor of an object
    shadowcred          Execute shadowcred from MSLDAPClientConsole
    sid2dn              Fetches the DN of an object based on the objectSid
    sidresolv           Returns the domain and username for SID
    spns                Fetches kerberoastable user accounts
    tree                Prints a tree from the given DN (if not set, the top)
                        and with a given depth (default: 1)
    trusts              Feteches gives back domain trusts
    unconstrained       Lists all unconstrained delegation objects
    unlockuser          Unlock user by setting lockoutTime to 0
    user                Feteches a user object based on the sAMAccountName of
                        the user
    whoami              Full whoami
    whoamiraw           Simple whoami

msldap add_genericwrite

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap add_genericwrite -h

usage: bloodyAD msldap add_genericwrite [-h] targetdn userdn

positional arguments:
  targetdn    targetdn
  userdn      userdn

options:
  -h, --help  show this help message and exit

msldap addallowedtoactonbehalfofotheridentity

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap addallowedtoactonbehalfofotheridentity -h

usage: bloodyAD msldap addallowedtoactonbehalfofotheridentity
       [-h] target_dn other_identity_sid

positional arguments:
  target_dn           target_dn
  other_identity_sid  other_identity_sid

options:
  -h, --help          show this help message and exit

msldap addcerttemplatenameflagaltname

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap addcerttemplatenameflagaltname -h

usage: bloodyAD msldap addcerttemplatenameflagaltname [-h] [--flags FLAGS]
                                                      certtemplatename

positional arguments:
  certtemplatename  certtemplatename

options:
  -h, --help        show this help message and exit
  --flags FLAGS     flags (default: None)

msldap addcomputer

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap addcomputer -h

usage: bloodyAD msldap addcomputer [-h] [--computername COMPUTERNAME]
                                   [--password PASSWORD]

options:
  -h, --help            show this help message and exit
  --computername COMPUTERNAME
                        computername (default: None)
  --password PASSWORD   password (default: None)

msldap addenrollmentright

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap addenrollmentright -h

usage: bloodyAD msldap addenrollmentright [-h] certtemplatename user_dn

positional arguments:
  certtemplatename  certtemplatename
  user_dn           user_dn

options:
  -h, --help        show this help message and exit

msldap addhostname

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap addhostname -h

usage: bloodyAD msldap addhostname [-h] user_dn hostname

positional arguments:
  user_dn     user_dn
  hostname    hostname

options:
  -h, --help  show this help message and exit

msldap addprivaddmember

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap addprivaddmember -h

usage: bloodyAD msldap addprivaddmember [-h] user_dn group_dn

positional arguments:
  user_dn     user_dn
  group_dn    group_dn

options:
  -h, --help  show this help message and exit

msldap addprivdcsync

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap addprivdcsync -h

usage: bloodyAD msldap addprivdcsync [-h] [--forest FOREST] user_dn

positional arguments:
  user_dn          user_dn

options:
  -h, --help       show this help message and exit
  --forest FOREST  forest (default: None)

msldap addspn

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap addspn -h

usage: bloodyAD msldap addspn [-h] user_dn spn

positional arguments:
  user_dn     user_dn
  spn         spn

options:
  -h, --help  show this help message and exit

msldap adduser

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap adduser -h

usage: bloodyAD msldap adduser [-h] user_dn password

positional arguments:
  user_dn     user_dn
  password    password

options:
  -h, --help  show this help message and exit

msldap addusertogroup

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap addusertogroup -h

usage: bloodyAD msldap addusertogroup [-h] user_dn group_dn

positional arguments:
  user_dn     user_dn
  group_dn    group_dn

options:
  -h, --help  show this help message and exit

msldap adinfo

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap adinfo -h

usage: bloodyAD msldap adinfo [-h]

options:
  -h, --help  show this help message and exit

msldap aiacas

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap aiacas -h

usage: bloodyAD msldap aiacas [-h]

options:
  -h, --help  show this help message and exit

msldap allschemaentry

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap allschemaentry -h

usage: bloodyAD msldap allschemaentry [-h]

options:
  -h, --help  show this help message and exit

msldap asrep

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap asrep -h

usage: bloodyAD msldap asrep [-h]

options:
  -h, --help  show this help message and exit

msldap badsuccessor_check

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap badsuccessor_check -h

usage: bloodyAD msldap badsuccessor_check [-h]

options:
  -h, --help  show this help message and exit

msldap certify

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap certify -h

usage: bloodyAD msldap certify [-h] [--cmd CMD] [--username USERNAME]

options:
  -h, --help           show this help message and exit
  --cmd CMD            cmd (default: None)
  --username USERNAME  username (default: None)

msldap certify2

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap certify2 -h

usage: bloodyAD msldap certify2 [-h] [--username USERNAME]

options:
  -h, --help           show this help message and exit
  --username USERNAME  username (default: None)

msldap certtemplates

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap certtemplates -h

usage: bloodyAD msldap certtemplates [-h] [--name NAME]

options:
  -h, --help   show this help message and exit
  --name NAME  name (default: None)

msldap changeowner

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap changeowner -h

usage: bloodyAD msldap changeowner [-h] [--target-attribute TARGET_ATTRIBUTE]
                                   new_owner_sid target_dn

positional arguments:
  new_owner_sid         new_owner_sid
  target_dn             target_dn

options:
  -h, --help            show this help message and exit
  --target-attribute TARGET_ATTRIBUTE
                        target_attribute (default: None)

msldap changesamaccountname

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap changesamaccountname -h

usage: bloodyAD msldap changesamaccountname [-h] dn newname

positional arguments:
  dn          dn
  newname     newname

options:
  -h, --help  show this help message and exit

msldap changeuserpw

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap changeuserpw -h

usage: bloodyAD msldap changeuserpw [-h] [--oldpass OLDPASS] user_dn newpass

positional arguments:
  user_dn            user_dn
  newpass            newpass

options:
  -h, --help         show this help message and exit
  --oldpass OLDPASS  oldpass (default: None)

msldap computeraddr

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap computeraddr -h

usage: bloodyAD msldap computeraddr [-h]

options:
  -h, --help  show this help message and exit

msldap constrained

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap constrained -h

usage: bloodyAD msldap constrained [-h]

options:
  -h, --help  show this help message and exit

msldap create_broken_dmsa_user

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap create_broken_dmsa_user -h

usage: bloodyAD msldap create_broken_dmsa_user [-h] user_dn computersid

positional arguments:
  user_dn      user_dn
  computersid  computersid

options:
  -h, --help   show this help message and exit

msldap dadms

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dadms -h

usage: bloodyAD msldap dadms [-h]

options:
  -h, --help  show this help message and exit

msldap delete

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap delete -h

usage: bloodyAD msldap delete [-h] [--confirm CONFIRM] dn

positional arguments:
  dn                 dn

options:
  -h, --help         show this help message and exit
  --confirm CONFIRM  confirm (default: NO)

msldap delspn

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap delspn -h

usage: bloodyAD msldap delspn [-h] user_dn spn

positional arguments:
  user_dn     user_dn
  spn         spn

options:
  -h, --help  show this help message and exit

msldap deluser

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap deluser -h

usage: bloodyAD msldap deluser [-h] user_dn

positional arguments:
  user_dn     user_dn

options:
  -h, --help  show this help message and exit

msldap deluserfromgroup

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap deluserfromgroup -h

usage: bloodyAD msldap deluserfromgroup [-h] user_dn group_dn

positional arguments:
  user_dn     user_dn
  group_dn    group_dn

options:
  -h, --help  show this help message and exit

msldap disableuser

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap disableuser -h

usage: bloodyAD msldap disableuser [-h] user_dn

positional arguments:
  user_dn     user_dn

options:
  -h, --help  show this help message and exit

msldap dmsaaddmanagedaccountprecededbylink

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dmsaaddmanagedaccountprecededbylink -h

usage: bloodyAD msldap dmsaaddmanagedaccountprecededbylink [-h]
                                                           dn
                                                           managedaccountprecededbylink

positional arguments:
  dn                    dn
  managedaccountprecededbylink
                        managedaccountprecededbylink

options:
  -h, --help            show this help message and exit

msldap dmsas

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dmsas -h

usage: bloodyAD msldap dmsas [-h]

options:
  -h, --help  show this help message and exit

msldap dmsasetdelegatedmsastate

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dmsasetdelegatedmsastate -h

usage: bloodyAD msldap dmsasetdelegatedmsastate [-h] dn delegatedmsastate

positional arguments:
  dn                 dn
  delegatedmsastate  delegatedmsastate

options:
  -h, --help         show this help message and exit

msldap dn2sam

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dn2sam -h

usage: bloodyAD msldap dn2sam [-h] dn

positional arguments:
  dn          dn

options:
  -h, --help  show this help message and exit

msldap dn2sid

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dn2sid -h

usage: bloodyAD msldap dn2sid [-h] dn

positional arguments:
  dn          dn

options:
  -h, --help  show this help message and exit

msldap dnsadd

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dnsadd -h

usage: bloodyAD msldap dnsadd [-h] [--zone ZONE] [--forest] [--legacy]
                              target ip

positional arguments:
  target       target
  ip           ip

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)

msldap dnsdelete

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dnsdelete -h

usage: bloodyAD msldap dnsdelete [-h] [--zone ZONE] [--forest] [--legacy]
                                 target

positional arguments:
  target       target

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)

msldap dnsdump

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dnsdump -h

usage: bloodyAD msldap dnsdump [-h] [--zone ZONE]

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)

msldap dnsgetserial

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dnsgetserial -h

usage: bloodyAD msldap dnsgetserial [-h] [--zone ZONE] [--forest] [--legacy]

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)

msldap dnsmodify

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dnsmodify -h

usage: bloodyAD msldap dnsmodify [-h] [--zone ZONE] [--forest] [--legacy]
                                 target ip

positional arguments:
  target       target
  ip           ip

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)

msldap dnsquery

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dnsquery -h

usage: bloodyAD msldap dnsquery [-h] [--zone ZONE] [--forest] [--legacy]
                                target

positional arguments:
  target       target

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)

msldap dnsqueryall

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dnsqueryall -h

usage: bloodyAD msldap dnsqueryall [-h] [--zone ZONE] [--forest] [--legacy]

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)

msldap dnsremove

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dnsremove -h

usage: bloodyAD msldap dnsremove [-h] [--zone ZONE] [--forest] [--legacy]
                                 target ip

positional arguments:
  target       target
  ip           ip

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)

msldap dnsrestore

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dnsrestore -h

usage: bloodyAD msldap dnsrestore [-h] [--zone ZONE] [--forest] [--legacy]
                                  target

positional arguments:
  target       target

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)

msldap dnssoa

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dnssoa -h

usage: bloodyAD msldap dnssoa [-h] [--zone ZONE] [--forest] [--legacy]

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)

msldap dnszones

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dnszones -h

usage: bloodyAD msldap dnszones [-h] [--to-print-props]

options:
  -h, --help        show this help message and exit
  --to-print-props  to_print_props (default: False)

msldap dump

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap dump -h

usage: bloodyAD msldap dump [-h]

options:
  -h, --help  show this help message and exit

msldap enableuser

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap enableuser -h

usage: bloodyAD msldap enableuser [-h] user_dn

positional arguments:
  user_dn     user_dn

options:
  -h, --help  show this help message and exit

msldap enrollmentservices

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap enrollmentservices -h

usage: bloodyAD msldap enrollmentservices [-h]

options:
  -h, --help  show this help message and exit

msldap genschema

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap genschema -h

usage: bloodyAD msldap genschema [-h]

options:
  -h, --help  show this help message and exit

msldap getsd

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap getsd -h

usage: bloodyAD msldap getsd [-h] [--opts OPTS] dn

positional arguments:
  dn           dn

options:
  -h, --help   show this help message and exit
  --opts OPTS  opts (default: )

msldap gmsa

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap gmsa -h

usage: bloodyAD msldap gmsa [-h]

options:
  -h, --help  show this help message and exit

msldap gpos

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap gpos -h

usage: bloodyAD msldap gpos [-h]

options:
  -h, --help  show this help message and exit

msldap groupmembers

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap groupmembers -h

usage: bloodyAD msldap groupmembers [-h] [--recursive] dn

positional arguments:
  dn           dn

options:
  -h, --help   show this help message and exit
  --recursive  recursive (default: True)

msldap groupmembership

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap groupmembership -h

usage: bloodyAD msldap groupmembership [-h] dn

positional arguments:
  dn          dn

options:
  -h, --help  show this help message and exit

msldap laps

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap laps -h

usage: bloodyAD msldap laps [-h]

options:
  -h, --help  show this help message and exit

msldap lapstarget

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap lapstarget -h

usage: bloodyAD msldap lapstarget [-h] machinesid

positional arguments:
  machinesid  machinesid

options:
  -h, --help  show this help message and exit

msldap ldapinfo

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap ldapinfo -h

usage: bloodyAD msldap ldapinfo [-h]

options:
  -h, --help  show this help message and exit

msldap machine

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap machine -h

usage: bloodyAD msldap machine [-h] samaccountname

positional arguments:
  samaccountname  samaccountname

options:
  -h, --help      show this help message and exit

msldap modify

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap modify -h

usage: bloodyAD msldap modify [-h] dn attribute value

positional arguments:
  dn          dn
  attribute   attribute
  value       value

options:
  -h, --help  show this help message and exit

msldap ntcas

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap ntcas -h

usage: bloodyAD msldap ntcas [-h]

options:
  -h, --help  show this help message and exit

msldap pre2000

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap pre2000 -h

usage: bloodyAD msldap pre2000 [-h]

options:
  -h, --help  show this help message and exit

msldap query

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap query -h

usage: bloodyAD msldap query [-h] [--attributes ATTRIBUTES] query

positional arguments:
  query                 query

options:
  -h, --help            show this help message and exit
  --attributes ATTRIBUTES
                        attributes (default: -)

msldap rootcas

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap rootcas -h

usage: bloodyAD msldap rootcas [-h]

options:
  -h, --help  show this help message and exit

msldap s4u2proxy

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap s4u2proxy -h

usage: bloodyAD msldap s4u2proxy [-h]

options:
  -h, --help  show this help message and exit

msldap sam2dn

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap sam2dn -h

usage: bloodyAD msldap sam2dn [-h] sAMAccountName

positional arguments:
  sAMAccountName  sAMAccountName

options:
  -h, --help      show this help message and exit

msldap schemaentry

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap schemaentry -h

usage: bloodyAD msldap schemaentry [-h] cn

positional arguments:
  cn          cn

options:
  -h, --help  show this help message and exit

msldap setsd

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap setsd -h

usage: bloodyAD msldap setsd [-h] target_dn sddl

positional arguments:
  target_dn   target_dn
  sddl        sddl

options:
  -h, --help  show this help message and exit

msldap shadowcred

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap shadowcred -h

usage: bloodyAD msldap shadowcred [-h] targetuser

positional arguments:
  targetuser  targetuser

options:
  -h, --help  show this help message and exit

msldap sid2dn

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap sid2dn -h

usage: bloodyAD msldap sid2dn [-h] sid

positional arguments:
  sid         sid

options:
  -h, --help  show this help message and exit

msldap sidresolv

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap sidresolv -h

usage: bloodyAD msldap sidresolv [-h] sid

positional arguments:
  sid         sid

options:
  -h, --help  show this help message and exit

msldap spns

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap spns -h

usage: bloodyAD msldap spns [-h]

options:
  -h, --help  show this help message and exit

msldap tree

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap tree -h

usage: bloodyAD msldap tree [-h] [--dn DN] [--level LEVEL]

options:
  -h, --help     show this help message and exit
  --dn DN        dn (default: None)
  --level LEVEL  level (default: 1)

msldap trusts

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap trusts -h

usage: bloodyAD msldap trusts [-h]

options:
  -h, --help  show this help message and exit

msldap unconstrained

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap unconstrained -h

usage: bloodyAD msldap unconstrained [-h]

options:
  -h, --help  show this help message and exit

msldap unlockuser

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap unlockuser -h

usage: bloodyAD msldap unlockuser [-h] user_dn

positional arguments:
  user_dn     user_dn

options:
  -h, --help  show this help message and exit

msldap user

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap user -h

usage: bloodyAD msldap user [-h] samaccountname

positional arguments:
  samaccountname  samaccountname

options:
  -h, --help      show this help message and exit

msldap whoami

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap whoami -h

usage: bloodyAD msldap whoami [-h]

options:
  -h, --help  show this help message and exit

msldap whoamiraw

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> msldap whoamiraw -h

usage: bloodyAD msldap whoamiraw [-h]

options:
  -h, --help  show this help message and exit

remove Commands

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> remove -h

usage: bloodyAD remove [-h]
                       {dcsync,dnsRecord,genericAll,groupMember,object,rbcd,shadowCredentials,uac}
                       ...

options:
  -h, --help            show this help message and exit

remove commands:
  {dcsync,dnsRecord,genericAll,groupMember,object,rbcd,shadowCredentials,uac}
    dcsync              Remove DCSync right for provided trustee
    dnsRecord           Remove a DNS record of an AD environment.
    genericAll          Remove full control of trustee on target
    groupMember         Remove member (user, group, computer) from group
    object              Remove object (user, group, computer, organizational
                        unit, etc)
    rbcd                Remove Resource Based Constraint Delegation for
                        service on target
    shadowCredentials   Remove Key Credentials from target
    uac                 Remove property flags altering user/computer object
                        behavior

remove dcsync

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> remove dcsync -h

usage: bloodyAD remove dcsync [-h] trustee

positional arguments:
  trustee     sAMAccountName, DN or SID of the trustee

options:
  -h, --help  show this help message and exit

remove dnsRecord

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> remove dnsRecord -h

usage: bloodyAD remove dnsRecord [-h]
                                 [--dnstype {A,AAAA,CNAME,MX,PTR,SRV,TXT}]
                                 [--zone ZONE] [--ttl TTL]
                                 [--preference PREFERENCE] [--port PORT]
                                 [--priority PRIORITY] [--weight WEIGHT]
                                 [--forest]
                                 name data

positional arguments:
  name                  name of the dnsNode object (hostname) which contains
                        the record
  data                  DNS record data

options:
  -h, --help            show this help message and exit
  --dnstype {A,AAAA,CNAME,MX,PTR,SRV,TXT}
                        DNS record type (default: A)
  --zone ZONE           DNS zone (default: CurrentDomain)
  --ttl TTL             DNS record TTL (default: None)
  --preference PREFERENCE
                        DNS MX record preference (default: None)
  --port PORT           listening port of the service in a DNS SRV record
                        (default: None)
  --priority PRIORITY   priority of a DNS SRV record against concurrent
                        (default: None)
  --weight WEIGHT       weight of a DNS SRV record against concurrent
                        (default: None)
  --forest              if set, will fetch the dns record in forest instead of
                        domain (default: False)

The options must be used if:
* The record is not an A type (you must provide other options depending on the type, but TTL is always optional)
* The record is not in the DOMAIN zone
* The record is in the Forest DNS Partition and not the Domain DNS Partition

Simplest usage:
$ bloodyAD --host 10.1.0.4 -u <username> -p <password> -d bloody remove dnsRecord test.bloody.local 8.8.8.8

remove genericAll

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> remove genericAll -h

usage: bloodyAD remove genericAll [-h] target trustee

positional arguments:
  target      sAMAccountName, DN or SID of the target
  trustee     sAMAccountName, DN or SID of the trustee

options:
  -h, --help  show this help message and exit

remove groupMember

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> remove groupMember -h

usage: bloodyAD remove groupMember [-h] group member

positional arguments:
  group       sAMAccountName, DN or SID of the group
  member      sAMAccountName, DN or SID of the member

options:
  -h, --help  show this help message and exit

remove object

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> remove object -h

usage: bloodyAD remove object [-h] target

positional arguments:
  target      sAMAccountName, DN or SID of the target

options:
  -h, --help  show this help message and exit

remove rbcd

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> remove rbcd -h

usage: bloodyAD remove rbcd [-h] target service

positional arguments:
  target      sAMAccountName, DN or SID of the target
  service     sAMAccountName, DN or SID of the service account

options:
  -h, --help  show this help message and exit

remove shadowCredentials

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> remove shadowCredentials -h

usage: bloodyAD remove shadowCredentials [-h] [--key KEY] target

positional arguments:
  target      sAMAccountName, DN or SID of the target

options:
  -h, --help  show this help message and exit
  --key KEY   RSA key of Key Credentials to remove from the target, removes
              all if key not specified (default: None)

remove uac

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> remove uac -h

usage: bloodyAD remove uac [-h] [-f F] target

positional arguments:
  target      sAMAccountName, DN or SID of the target

options:
  -h, --help  show this help message and exit
  -f F        name of property flag to remove, can be called multiple times if
              multiple flags to remove (e.g -f LOCKOUT -f ACCOUNTDISABLE)
              (default: None)

set Commands

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> set -h

usage: bloodyAD set [-h] {object,owner,password,restore} ...

options:
  -h, --help            show this help message and exit

set commands:
  {object,owner,password,restore}
    object              Add/Replace/Delete target's attribute
    owner               Changes target ownership with provided owner
                        (WriteOwner permission required)
    password            Change password of a user/computer
    restore             Restore a deleted object

set object

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> set object -h

usage: bloodyAD set object [-h] [-v V] [--raw] [--b64] target attribute

positional arguments:
  target      sAMAccountName, DN or SID of the target
  attribute   name of the attribute

options:
  -h, --help  show this help message and exit
  -v V        add value if attribute doesn't exist, replace value if attribute
              exists, delete if no value given, can be called multiple times
              if multiple values to set (e.g -v HOST/janettePC -v
              HOST/janettePC.bloody.local) (default: [])
  --raw       if set, will try to send the values provided as is, without any
              encoding (default: False)
  --b64       expect base64 values in -v (available only with --raw) (default:
              False)

set owner

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> set owner -h

usage: bloodyAD set owner [-h] target owner

positional arguments:
  target      sAMAccountName, DN or SID of the target
  owner       sAMAccountName, DN or SID of the new owner

options:
  -h, --help  show this help message and exit

⚠️ Warning
If you only have [WRITE_OWNER](https://github.com/CravateRouge/bloodyAD/wiki/Access-Control#rights) or SE_TAKE_OWNERSHIP_PRIVILEGE, you can only set yourself as owner. You must have DS-Set-Owner on the domain or SeRestorePrivilege to set any other user as owner (see [MS-ADTS] 6.1.3.5 and [this article](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects#policy-management)).

set password

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> set password -h

usage: bloodyAD set password [-h] [--oldpass OLDPASS] target newpass

positional arguments:
  target             sAMAccountName, DN or SID of the target
  newpass            new password for the target

options:
  -h, --help         show this help message and exit
  --oldpass OLDPASS  old password of the target, mandatory if you don't have
                     "change password" permission on the target (default:
                     None)

📝 Note
You can use `oldpass` to change the password of another user without having any special right on it. (Useful when the target is locked because the password is expired.)

set restore

$ bloodyAD -H 10.10.10.10 -d bloody -u <username> -p <password> set restore -h

usage: bloodyAD set restore [-h] [--newName NEWNAME] [--newParent NEWPARENT]
                            target

positional arguments:
  target                DN, sAMAccountName (or name for GPO) or SID of the
                        target (avoid sAMAccountName if there is a duplicate)

options:
  -h, --help            show this help message and exit
  --newName NEWNAME     new name for the restored object (update also
                        sAMAccountName, UPN, SPN...), if not provided will use
                        the last known RDN (default: None)
  --newParent NEWPARENT
                        new parent for the restored object, if not provided
                        will use the last known parent (default: None)